php-fpm chrooted to virtfs
Not sure if this is the correct place to post this.
I think php-fpm can be easily chrooted to /home/virtfs/user for a user with jailshell enabled. I have tested this and everything looks fine. I know you guys do it with mod_ruid2. Not sure why this is left out in php-fpm pools, as this makes a perfect alternative for CageFS.
The only drawback I see is that the virtfs bind mounts are initialized only on shell access. So if you make the virtfs mounts auto-initialize on account creation or on a shell change to jailshell, that would solve it.
I would be interested to hear the reason if chrooting php-fpm to virtfs was knowingly omitted, as I am integrating this in a plugin I develop for cPanel.
PHP-FPM pools will automatically be bound to the virtfs mount for a user in the following conditions:
1. /var/cpanel/feature_toggles/apachefpmjail exists
2. The account is using either jailshell or noshell
You should also enable the JailManager chkservd driver, which should set up the mounts automatically.
OK, cool. I think this part is missing in the docs and it would be great info for people who wish to use it. As a personal note, cPanel should concentrate more on the FPM SAPI and not on ruid2, as this would eventually make adopting other web servers easy. FastCGI is almost universally supported.
Hello @Anoop P Alias, I've opened a case (DOC-8605) with our Documentation Team to see if we can get this information added to our documentation. I'll update this thread with any status updates to this case as they become available. Thank you.
Update: The following document is now updated to reflect this information: PHP-FPM User Pools - Documentation - cPanel Documentation
Enabling JailManager creates the virtfs mounts OK, but I couldn't find the chroot directive in the pool file:

[root@li993-97 ~]# ls -l /var/cpanel/feature_toggles/apachefpmjail
-rw-r--r-- 1 root root 0 Mar 28 14:31 /var/cpanel/feature_toggles/apachefpmjail
[root@li993-97 ~]# grep -i chroot /opt/cpanel/ea-php56/root/etc/php-fpm.d/domaintest.com.conf
[root@li993-97 ~]#

I am testing this on WHM 62.0 (build 17) [TRIAL]. The first part is enough for me (as I use a separate pool file for the plugin), so you guys may check out why chroot is missing.
One thing to note: /var/cpanel/feature_toggles/apachefpmjail doesn't create a full virtfs. For example, /home/virtfs/%user%/etc/exim.conf is missing. This affects users' ability to use PHP's mail() function with this chroot. Otherwise, it seems to work great, and I think it is a huge, huge step forward in terms of caging a user's filesystem. I thought I had a discussion with Matt about this incomplete virtfs, but I'm not sure where I had that. There's some discussion on the feature request - Enhance FPM support - but I don't see any mention of the incomplete virtfs. I think the lack of some files in the virtfs has to do with /usr/local/cpanel/bin/jailmount not doing a complete mount, whereas instantiating a full jailshell (i.e. a user logging in with jailshell) does.
The creation of the file /var/cpanel/feature_toggles/apachefpmjail is just a flag. cPanel's PHP-FPM binary has been patched to look for this file. If it is found, the binary automatically enables the chroot. It doesn't modify any PHP-FPM configuration file. You have to have /var/cpanel/feature_toggles/apachefpmjail and you have to be using cPanel's PHP-FPM binaries from EA4 for this to work. Some of the focus I made in the feature request - Enhance FPM support - was to automatically create this virtfs mount point for all users and always have it available; THEN you can add chroot configuration to each PHP-FPM configuration file. I kind of like that way a little bit better (because it doesn't depend on a cPanel patch having to be included), but I'm not going to argue for it too much.
In my test, mail was working great. Note that I am using only the php-fpm binary and using my own fpm config and pool files, which have chroot= set. Also, I don't understand why someone would patch software with a feature that it provides out of the box!
Well, it probably won't work for a new user that doesn't have a virtfs jailmounted. How are you ensuring that /home/virtfs/%user% is mounted? The chroot directive is available in PHP-FPM, but the virtfs isn't always created and mounted. That's why it was patched. Is there another way of doing this without patching? Yes. But cPanel sometimes likes to take the road with more twists, bumps, and hills.
The simple solution I had used in my script, before adding the pool file and reloading php-fpm, is su -c "touch /home/$user" $user. But when the JailManager driver is enabled, the above is not needed and the virtfs mounts are auto-populated.
@sparek-3 - I now see the discussion in the feature request. So from what I understand, /var/cpanel/feature_toggles/apachefpmjail is all I need for the copy of php-fpm I run to be chrooted too.

Also, as a solution to having multiple php-fpm restarts, which is mentioned in that thread (it's locked there for comments): we can simply have a php-fpm master spawned for each PHP version available, with all of them having the pools defined. So if we have 4 PHP versions and 500 users, there will be 2000 sockets (4 for each user) providing the different versions. So if domain1 needs another version, you just need to change the socket path in Apache and not reload php-fpm. The php-fpm pools need to be reloaded only when a user is added to or deleted from the system. This is different from the approach cPanel takes by creating a pool for each domain, which is unnecessary. Here is the simple Python code I use to spawn the fpm masters: XtendWeb/init_backends.py at ndeploy4 - AnoopAlias/XtendWeb - GitHub

Also, on another issue mentioned there: spawning separate masters for different cPanel users is also easy and scalable. systemd and related stuff - GnuSys.net SysAdmin Services. The only issue is that there must be a watchdog daemon to kill off the master processes not currently in use.

I am sure these are all hacks that I use for my small script and the cPanel team may have better tests/ideas; just mentioning this here as I cannot collaborate on the Enhance FPM feature request anymore.
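Tying together sparek-3's point that a pool must not be chrooted before the user's virtfs is mounted and the per-user, per-version socket layout described in the last post, here is an added Python example (not from the thread, and not cPanel's or XtendWeb's code) that checks /proc/mounts-style text for the jail and renders chrooted pool sections. The socket directory, listen.owner, the pm settings and the sample mounts are assumptions.

```python
# Added example for this thread (not cPanel's code or the posted script): render
# chrooted PHP-FPM pools per user and per PHP version, and skip any user whose
# virtfs jail is not mounted. Paths other than /home/virtfs are assumptions.
VIRTFS_ROOT = "/home/virtfs"        # cPanel jail root, from the thread
SOCKET_DIR = "/var/run/php-fpm"     # assumed directory for the per-version sockets
SUN_PATH_MAX = 108                  # Linux limit on a unix socket path (incl. NUL)
# Constructed /proc/mounts excerpt: alice has a jail mounted, bob does not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /home/virtfs/alice/usr ext4 ro,relatime 0 0
/dev/sda1 /home/virtfs/alice/lib ext4 ro,relatime 0 0
"""

def virtfs_mounted(user, mounts_text):
    """True if some mount point (field 2) is at or under /home/virtfs/<user>."""
    jail = f"{VIRTFS_ROOT}/{user}"
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 2 and (f[1] == jail or f[1].startswith(jail + "/")):
            return True
    return False

def pool_section(user, version):
    """One [pool] block: chroot= is the stock PHP-FPM directive; listen is host-side."""
    name = f"{user}-{version}"
    sock = f"{SOCKET_DIR}/{name}.sock"
    if len(sock.encode()) >= SUN_PATH_MAX:
        raise ValueError(f"socket path too long for sun_path: {sock}")
    return "\n".join([
        f"[{name}]", f"user = {user}", f"group = {user}",
        f"listen = {sock}", "listen.owner = nobody",   # Apache user on cPanel; assumed
        "listen.group = nobody", "listen.mode = 0660",
        f"chroot = {VIRTFS_ROOT}/{user}", "pm = ondemand", "pm.max_children = 5", "",
    ])

def build_pools(users, versions, mounts_text):
    """Return ({version: pool config text}, [users skipped for a missing jail])."""
    configs, skipped = {v: "" for v in versions}, []
    for user in users:
        if not virtfs_mounted(user, mounts_text):
            skipped.append(user)    # chrooting into an empty dir only breaks PHP
            continue
        for v in versions:
            configs[v] += pool_section(user, v) + "\n"
    return configs, skipped

if __name__ == "__main__":
    # "ea-php70" is a constructed version name alongside ea-php56 from the thread
    cfgs, skipped = build_pools(["alice", "bob"], ["ea-php56", "ea-php70"], SAMPLE_MOUNTS)
    print(cfgs["ea-php56"], "skipped:", skipped)
```

Each version's text goes into that master's pool directory; switching a domain to another version is then only a change of socket path on the Apache side, as the post describes.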